<div dir="ltr">For the record, adding a new zone not previously managed by ODS works well on the same setup, policy and all.<div><br></div><div>Emil</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 18, 2014 at 6:05 PM, Emil Natan <span dir="ltr"><<a href="mailto:shlyoko@gmail.com" target="_blank">shlyoko@gmail.com</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Sion,<br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Thu, Dec 18, 2014 at 4:52 PM, Siôn Lloyd <span dir="ltr"><<a href="mailto:sion@nominet.org.uk" target="_blank">sion@nominet.org.uk</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>On 18/12/14 12:38, Emil Natan wrote:<br>
> Hello,<br>
><br>
> Can someone please explain when and why keys are created "NOT IN<br>
> repository"?<br>
<br>
</span>Hi Emil,<br>
<br>
Is there a chance that these keys were created and then deleted? That is<br>
the most likely scenario I can think of.<br>
<br></blockquote><div><br></div></span><div>I do not think that's the case. I had this zone managed by ODS once, but since then I wiped both the HSM and ODS database and the zone was commented in zonelist.conf.</div><div>Today I enabled the zone and I see in the log file:</div><div><br></div><div><div>Dec 18 14:22:04 debugsigner002 ods-enforcerd: Key sharing is Off.</div><div>Dec 18 14:22:04 debugsigner002 ods-enforcerd: 1 zone(s) found on policy "testpolicy"</div><div>Dec 18 14:22:04 debugsigner002 ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created for policy testpolicy: keys_to_generate(1) = keys_needed(1) - keys_available(0).</div><div>Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created key in repository Keyper</div><div>Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 328387cdfb9fae6a5bf27082dc0b858b in repository: Keyper and database.</div><div>Dec 18 14:22:16 debugsigner002 ods-enforcerd: 1 new ZSK(s) (1024 bits) need to be created for policy testpolicy: keys_to_generate(1) = keys_needed(1) - keys_available(0).</div><div>Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created key in repository Keyper</div><div>Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: 6833a76d1e0834504e43c1ae47b66646 in repository: Keyper and database.</div><div>Dec 18 14:22:19 debugsigner002 ods-enforcerd: NOTE: keys generated in repository Keyper will not become active until they have been backed up</div></div><div><br></div><div>It looks like the keys were just created.</div><div><br></div><div>Later in the log:</div><div><br></div><div><div>Dec 18 14:22:19 debugsigner002 ods-enforcerd: Zone <a href="http://w3c.org" target="_blank">w3c.org</a> found.</div><div>Dec 18 14:22:19 debugsigner002 ods-enforcerd: Policy for <a href="http://w3c.org" target="_blank">w3c.org</a> set to testpolicy.</div><div>Dec 18 14:22:19 debugsigner002 ods-enforcerd: Policy testpolicy found in DB.</div><div>Dec 18 14:22:19 
debugsigner002 ods-enforcerd: Config will be output to /ods-data/var/opendnssec/signconf/w3c.org.xml.</div><div>Dec 18 14:22:19 debugsigner002 ods-enforcerd: ZSK key allocation for zone <a href="http://w3c.org" target="_blank">w3c.org</a>: 1 key(s) allocated</div><div>Dec 18 14:22:19 debugsigner002 ods-enforcerd: KSK key allocation for zone <a href="http://w3c.org" target="_blank">w3c.org</a>: 1 key(s) allocated</div><div>Dec 18 14:22:19 debugsigner002 ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone</div><div>Dec 18 14:22:19 debugsigner002 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set</div><div>Dec 18 14:22:19 debugsigner002 ods-enforcerd: KsmRequestKeys returned: 65562</div><div>Dec 18 14:22:19 debugsigner002 ods-enforcerd: Signconf not written for <a href="http://w3c.org" target="_blank">w3c.org</a></div><div>Dec 18 14:22:19 debugsigner002 ods-enforcerd: Disconnecting from Database...</div></div><div><br></div><div>and later:</div><div><br></div><div><div>Dec 18 14:25:53 debugsigner002 ods-signerd: [hsm] unable to get key: key 328387cdfb9fae6a5bf27082dc0b858b not found</div><div>Dec 18 14:25:53 debugsigner002 ods-signerd: [zone] unable to publish dnskeys for zone <a href="http://w3c.org" target="_blank">w3c.org</a>: error creating dnskey</div><div>Dec 18 14:25:53 debugsigner002 ods-signerd: [tools] unable to read zone <a href="http://w3c.org" target="_blank">w3c.org</a>: failed to publish dnskeys (General error)</div><div>Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] CRITICAL: failed to sign zone <a href="http://w3c.org" target="_blank">w3c.org</a>: General error</div><div>Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] backoff task [read] for zone <a href="http://w3c.org" target="_blank">w3c.org</a> with 60 seconds</div><div>Dec 18 14:25:53 debugsigner002 ods-signerd: [worker[1]] finished working on zone <a href="http://w3c.org" 
target="_blank">w3c.org</a>.</div></div><div><br></div><div>And my question is: if there was a problem creating the keys in the HSM, why are they created outside of it? Isn't it better if the process just stops? And where do the keys actually exist if not in the repository? The idea was to use ODS always with HSM.</div><div>Thanks.</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>Emil</div></font></span><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
If not, were any errors logged during key generation?<br>
<br>
Sion<br>
<span><br>
><br>
> root@debugsigner002:~# ods-ksmutil key list --zone <a href="http://w3c.org" target="_blank">w3c.org</a><br>
</span>> <<a href="http://w3c.org" target="_blank">http://w3c.org</a>> -v<br>
<span>> Zone: Keytype: State: Date of next<br>
> transition (to): Size: Algorithm: CKA_ID:<br>
> Repository: Keytag:<br>
</span>> <a href="http://w3c.org" target="_blank">w3c.org</a> <<a href="http://w3c.org" target="_blank">http://w3c.org</a>> KSK publish<br>
<span>> 2014-12-18 18:30:53 (ready) 2048 8<br>
> 328387cdfb9fae6a5bf27082dc0b858b Keyper NOT IN repository<br>
</span>> <a href="http://w3c.org" target="_blank">w3c.org</a> <<a href="http://w3c.org" target="_blank">http://w3c.org</a>> ZSK active<br>
<span>> 2015-04-21 14:25:53 (retire) 1024 8<br>
> 6833a76d1e0834504e43c1ae47b66646 Keyper NOT IN repository<br>
><br>
> Thanks.<br>
> Emil<br>
><br>
><br>
</span>> _______________________________________________<br>
> Opendnssec-user mailing list<br>
> <a href="mailto:Opendnssec-user@lists.opendnssec.org" target="_blank">Opendnssec-user@lists.opendnssec.org</a><br>
> <a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user" target="_blank">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a><br>
><br>
<br>
</blockquote></span></div></div></div>
</blockquote></div></div>
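The thread above shows the enforcer and the signer disagreeing about the same CKA_ID: ods-enforcerd logs "Created key in repository Keyper" and records the key in its database, while ods-signerd later reports "unable to get key ... not found" and ods-ksmutil lists the key as "NOT IN repository". The script below is an added example (not OpenDNSSEC project code) that correlates the two log streams so that this divergence, plus the RequireBackup condition that blocked the signconf, is surfaced as an explicit finding rather than buried in syslog. The sample log lines are copied from the messages in the thread; the regular expressions are written against those exact message formats (ODS 1.x) and are an assumption for other versions.

```python
"""Correlate ods-enforcerd and ods-signerd log lines to flag keys that the
enforcer recorded in its database but the signer could not find in the HSM.

Added example, not OpenDNSSEC project code. Message formats are those of the
ODS 1.x daemons as quoted in the thread; other versions may differ.
"""
import re
from dataclasses import dataclass

# Enforcer: key successfully written to repository AND database.
CREATED_RE = re.compile(
    r"ods-enforcerd: Created (KSK|ZSK) size: (\d+), alg: (\d+) with id: "
    r"([0-9a-f]+) in repository: (\S+) and database"
)
# Signer: HSM lookup of the same CKA_ID failed.
MISSING_RE = re.compile(r"ods-signerd: \[hsm\] unable to get key: key ([0-9a-f]+) not found")
# Enforcer: keys exist but policy requires a backup before activation.
BACKUP_NOTE_RE = re.compile(
    r"NOTE: keys generated in repository (\S+) will not become active until they have been backed up"
)
REQUIRE_BACKUP_ERR = "ERROR: Trying to make non-backed up"


@dataclass
class KeyRecord:
    keytype: str                  # "KSK" or "ZSK"
    bits: int
    alg: int
    repository: str               # repository name the enforcer wrote to the database
    missing_in_hsm: bool = False  # signer later failed to find this CKA_ID in the HSM


def analyse(lines):
    """Return (keys by CKA_ID, repositories awaiting backup, RequireBackup error count)."""
    keys = {}
    awaiting_backup = set()
    require_backup_errors = 0
    for line in lines:
        m = CREATED_RE.search(line)
        if m:
            ktype, bits, alg, cka_id, repo = m.groups()
            keys[cka_id] = KeyRecord(ktype, int(bits), int(alg), repo)
            continue
        m = MISSING_RE.search(line)
        if m:
            # A CKA_ID the enforcer never logged creating is still worth reporting.
            keys.setdefault(m.group(1), KeyRecord("?", 0, 0, "?")).missing_in_hsm = True
            continue
        m = BACKUP_NOTE_RE.search(line)
        if m:
            awaiting_backup.add(m.group(1))
        elif REQUIRE_BACKUP_ERR in line:
            require_backup_errors += 1
    return keys, awaiting_backup, require_backup_errors


def findings(lines):
    """Human-readable list of conditions that need operator attention."""
    keys, awaiting_backup, rb_errors = analyse(lines)
    out = []
    for cka_id, k in sorted(keys.items()):
        if k.missing_in_hsm:
            out.append(f"{k.keytype} {cka_id}: in database for repository {k.repository} "
                       f"but not found by the signer in the HSM (lists as 'NOT IN repository')")
    for repo in sorted(awaiting_backup):
        out.append(f"repository {repo}: new keys will not activate until marked as backed up")
    if rb_errors:
        out.append(f"{rb_errors} RequireBackup error(s): signconf was not written")
    return out


# Sample input: log lines copied from the thread (enforcer run, then signer run).
SAMPLE_LOG = [
    "Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created key in repository Keyper",
    "Dec 18 14:22:16 debugsigner002 ods-enforcerd: Created KSK size: 2048, alg: 8 with id: "
    "328387cdfb9fae6a5bf27082dc0b858b in repository: Keyper and database.",
    "Dec 18 14:22:19 debugsigner002 ods-enforcerd: Created ZSK size: 1024, alg: 8 with id: "
    "6833a76d1e0834504e43c1ae47b66646 in repository: Keyper and database.",
    "Dec 18 14:22:19 debugsigner002 ods-enforcerd: NOTE: keys generated in repository Keyper "
    "will not become active until they have been backed up",
    "Dec 18 14:22:19 debugsigner002 ods-enforcerd: ERROR: Trying to make non-backed up ZSK "
    "active when RequireBackup flag is set",
    "Dec 18 14:25:53 debugsigner002 ods-signerd: [hsm] unable to get key: key "
    "328387cdfb9fae6a5bf27082dc0b858b not found",
]

if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Run against a real system, feed it the enforcer and signer syslog lines for one run of each daemon; a key that appears in the first finding category is exactly the state the thread describes, a database row whose CKA_ID the HSM no longer (or never) holds. The backup finding corresponds to the `<RequireBackup/>` policy setting that the enforcer error message names.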